The topic I'm going to talk about today is Anti-Intelligence Projects, Self-Defense and Data Restoration Methods.
In fact, it used to have another name, which was how to use a self-built base station system to test IoT devices.
However, Dawei gave me a better name.
Anyway, the content is almost the same.
Let me briefly introduce myself.
I am a senior security engineer at Baidu Security Lab.
I am currently studying IoT security, and I have recently done some work on drones.
I have taken apart many hardware devices.
Let's take a look at the big picture for today.
First of all, we have a lot of IoT devices connected to the network, such as a machine gun and an automatic fire engine.
The purpose and method of testing these devices is how to build our own base station.
That is to say, how to make these devices automatically attach to our base station system and then attack their traffic.
Then I will also talk about how to build an LTE, that is, a 4G base station system.
Finally, I will introduce some vulnerability cases and some other methods of testing through the users' internal network.
First of all, the purpose and principles of testing.
I think the purpose is more important here.
It is to build a base station testing system to assist in testing our IoT devices.
That is to say, I use this system to help me find vulnerabilities in IoT devices, so that others also understand the security risks of this area, and so on.
But there is a testing procedure here.
That is to say, when we test, we strictly follow the relevant laws.
For example, the picture on the right is a shielded box.
According to national law, sending high-power radio interference to other devices is actually not allowed.
So we suggest doing it in this shielded box, or doing the relevant tests in a closed basement.
OK.
Our purpose in testing is actually to control the traffic.
What does controlling the traffic include?
For example, I need to control my shared bicycle, or my automatic truck, or my IoT device that has a network connection and a SIM card, for example the traffic of my car system.
It mainly includes three aspects.
One is to get the traffic, that is, what content is sent to the cloud.
Another is to modify the traffic, for example, to do a man-in-the-middle attack to modify its configuration.
Another is access: when I control the IP network, I can actually access some ports of the IoT device, and some of those ports are risky.
Let's take a look at some specific ways to find the attack paths of these IoT devices.
The first point is to get the cloud interface.
That is to say, if I can get, for example, the communication between my POS machine and the cloud, I can get the IP of the cloud, its domain name, and its interface.
Then it turns into a security test against this kind of external public-facing service.
This is one of the methods.
The second is to get its communication data, to get some sensitive information.
For example, it transmits some tokens, some passwords.
Through this, we can use Python on my laptop to reuse this information to log in, or to modify the data.
Modifying the data means, for example, that many devices have an automatic upgrade function.
I intercept the automatic upgrade request and at the same time modify its traffic.
Then I can direct it to upgrade to a malicious component.
There is also another way, which is to access the IoT device.
In fact, it opens some ports.
For example, with some car systems, when I give it an IP network, I can access these ports.
OK.
It may be divided into two parts; there are two test needs.
One is non-attack testing.
For example, I only need to get its communication data.
This kind of thing does not need the client to connect automatically; I do not need any client to log into my system automatically.
I only need my client to be able to log in once.
To realize this, use some GSM and LTE test stations.
OK.
The other is attacking.
That is to say, I need my client to automatically connect to my base station system, and then modify its traffic.
For this kind of thing, we need to build my GSM attack base station.
After this base station is built, how do I get my device to automatically connect to this base station?
By modifying some cell selection parameters.
I will talk about it later.
To experience this scenario, let's take a look at how I achieve the attack base station.
That is to say, let my client, let my POS machine, automatically and unconditionally connect to my test station, and modify its traffic.
This is a case of Tencent's attack base station.
They used a USRP software-defined radio device and OpenBTS, this kind of open-source base station system.
They found a memory corruption vulnerability in a browser.
At the same time, they modified the traffic, so that when I browsed NetEase, the HTTP content was modified and some malicious HTTP was added.
So when I browsed NetEase, this browser vulnerability was triggered, achieving the final RCE, that is, remote code execution.
Let's take a look at the 2G, 3G and 4G we just talked about.
What do they mean?
2G is GSM.
In fact, GSM is still problematic now.
3G and 4G are LTE.
In the future, it will be 5G.
In fact, for example, in the 2G era, our transmission speed was very limited, for example about 5K per second.
With 4G, you can watch high-definition online videos very well.
So it is actually improving; many technologies are upgrading from 2G to 3G to 4G.
In fact, at the initial stage, at the beginning of GSM's design, there were some security problems.
It actually has serious security risks.
Some people will say that now a lot of operators, for example China Unicom, have already retired 2G, so this kind of problem will not exist.
In fact, that is not the case.
The reason for the problem is not in the operator but in the equipment.
Although the operator has no 2G network, your equipment will still support GSM.
So this kind of security problem will exist for a long time.
Let's take a closer look at the security problems of GSM.
What exactly are they?
At the beginning of its design, GSM used one-way authentication.
That is to say, the mobile phone or the client cannot verify the authenticity of the base station.
So there is a security problem.
Then the fake base station came into play.
We may often receive spam messages like this.
For example, there is one here: "what did you win", with some links.
That's what the fake base station sent you.
In fact, what did the fake base station do to you?
It just sent you a message whose content and sender number can be customized.
There is nothing else.
Let's take a look at the inside of the fake base station.
It uses some radio boards; the blue one on the right is a wireless board, with some amplifiers.
In the software part it uses OpenBTS, that is, an open-source GSM base station system.
Through software simulation plus some radio equipment, it implements the base station system.
So what does the fake base station do?
When you get close to the fake base station, it pulls you into the base station, sends you a message, and then kicks you out.
It only does this.
But why do we talk about this?
It's a little different: it pulls you in.
How does it pull you in?
We found out through research on its software and hardware that it changed a parameter, which is very important.
It changed the cell reselection parameters, the C1 and C2 values.
They have been modified to a very large value.
It may be that C1 and C2 are given a large offset, or are simply set directly.
If C1 and C2 are very large, it means that this base station is very "hot" and then very attractive, and it will pull in everything around it.
That is, the client will prefer to connect to the base station with very large C1 and C2.
So we borrow from the fake base station.
Of course, we can't mess around with messages or interrupt them.
I just need to realize its ability to pull the client in.
At the same time, I need to do something that the fake base station didn't do, which is to control its GPRS.
So how do we do it?
It can be achieved by using software-defined radio equipment.
Let's briefly introduce software-defined radio equipment.
It is a kind of equipment that can receive radio waves at will.
Then for the software part, we use an open-source GSM BTS.
Several pieces of software are possible.
I recommend YateBTS, because it is very easy to install compared to the others, and at the same time it is visual and has an external interface.
Then for hardware, we recommend using bladeRF, because its frequency is very accurate.
After selecting them, I still have the same question.
How do I let my POS machine, since there are a lot of POS machines now, or a bicycle, automatically attach to my base station?
In fact, they are all using 2G.
Of course, it doesn't matter if they use 4G; you can force them down to 2G.
So how to achieve it, letting it automatically attach to my base station?
We found that in these base station software packages, setting the C2 parameter is not effective.
So finally, look at the picture in the upper right corner: we patched the C2 value in the source code, where it is calculated, so that the code forces it to the maximum value.
What about the others?
We need to configure some other parameters, the MCC and MNC, that is, the country code and the operator code.
For example, China Unicom is 46001.
Then write these codes to be the same as those of the current SIM card, the same configuration parameters.
There is also the band selection, which is a point of its own.
Because of the time, I won't talk about this band selection.
So, after these are realized, let's take a look at the picture in the lower left corner, which is an engineering test mode phone.
In the upper right corner of the engineering test mode screen, it shows that the C2 value is 201.
Usually the C2 value is 67.
So now the C2 value is off the charts.
So you can just put our fake base station anywhere, and all the 2G devices around it will be pulled in.
OK.
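As an added example (not from the talk), the following Python computes the GSM C1/C2 cell-reselection criteria from the 3GPP TS 45.008 formulas and flags cells whose C2 looks implausible, the kind of check a defender can run over engineering-mode readings to spot a rogue cell; the readings, the 67/201 values and the thresholds are constructed for the demo.

```python
from statistics import median

def c1(rxlev, rxlev_access_min, ms_txpwr_max_cch, p_max):
    """Path-loss criterion C1 (3GPP TS 45.008): A - max(B, 0), all in dB."""
    a = rxlev - rxlev_access_min          # received level margin
    b = ms_txpwr_max_cch - p_max          # MS transmit power shortfall
    return a - max(b, 0)

def c2(c1_value, cell_reselect_offset, temporary_offset, penalty_time, t_seconds):
    """Cell-reselection criterion C2. Offsets are already decoded to dB and
    penalty_time to seconds (assumption); penalty_time=None models the
    encoded value 31, where C2 = C1 - CELL_RESELECT_OFFSET."""
    if penalty_time is None:
        return c1_value - cell_reselect_offset
    h = 1 if penalty_time - t_seconds >= 0 else 0   # H(x) = 1 for x >= 0
    return c1_value + cell_reselect_offset - temporary_offset * h

# Constructed engineering-mode readings (not real measurements): C2 of 67
# mirrors the normal cell in the talk, 201 the patched fake cell.
READINGS = [
    {"arfcn": 12, "plmn": "46001", "lac": 0x2A10, "c1": 30, "c2": 67},
    {"arfcn": 35, "plmn": "46001", "lac": 0x2A10, "c1": 28, "c2": 65},
    {"arfcn": 90, "plmn": "46001", "lac": 0x2A11, "c1": 25, "c2": 67},
    {"arfcn": 51, "plmn": "46001", "lac": 0xFFFE, "c1": 31, "c2": 201},
]

def flag_suspicious_cells(readings, expected_plmn, max_offset_db=50, min_gap_db=40):
    """Return (arfcn, reasons) for cells worth investigating: wrong PLMN,
    a C2 far above its own C1 (an oversized CELL_RESELECT_OFFSET), or a C2
    far above the other cells' median. Thresholds are demo assumptions."""
    flagged = []
    for r in readings:
        others = [o["c2"] for o in readings if o is not r]
        reasons = []
        if r["plmn"] != expected_plmn:
            reasons.append("unexpected PLMN")
        if r["c2"] - r["c1"] > max_offset_db:
            reasons.append("C2 exceeds C1 by %d dB" % (r["c2"] - r["c1"]))
        if others and r["c2"] - median(others) > min_gap_db:
            reasons.append("C2 far above neighbours")
        if reasons:
            flagged.append((r["arfcn"], reasons))
    return flagged

if __name__ == "__main__":
    for arfcn, why in flag_suspicious_cells(READINGS, "46001"):
        print("ARFCN %d: %s" % (arfcn, "; ".join(why)))
```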
Other configuration, that is, some details of the configuration, is in the web interface in front of this machine; everyone can take a look.
For example, how to configure the MNC, how to choose the band, how to close the firewall, and how to add IP forwarding.
In this way, we can use Wireshark or other tools to capture packets, or use Burp on the packets for MITM and so on.
But there is also the IMSI, that is, the SIM card number, which we need to configure in this equipment.
But ...
... and see what traffic it sends to the cloud.
Or use Burp to intercept the HTTP packets it sends and modify the parameters.
Or access the IP of this device directly from my laptop.
It may have opened Telnet or something, and I can scan it.
OK, this is what we talked about for 2G.
Then let's see how to build this LTE test station, which is a 4G test station.
Why build this test station?
If we only need to do some tests, for example I only need to get its traffic and don't need it to be pulled in in real time, or I need to test it quickly, because for example scanning a port in 2G is very slow, while it is very fast in 4G.
I can tell you how to build this LTE 4G test station.
Because LTE uses mutual authentication, we need to solve this authentication problem.
For example, how can we solve this authentication problem?
Let's first briefly introduce the LTE system.
It contains the UE, the EPC and the eNodeB.
UE means our client, which is my mobile phone; you don't need to care about this part.
The EPC can be understood as a central control host.
The eNodeB can be understood as a radio unit.
I just need to build the EPC and eNodeB on my computer, and that's OK.
We choose srsLTE, which is an open-source software.
You may be very familiar with OAI, but it is very complicated to install, and I don't recommend you install it.
We can use srsLTE; it is very easy to install and use, and it is suitable for security personnel doing security analysis.
OK.
Let's take a look at how we can use software-defined radio to build this LTE test station.
We first download and compile the EPC and eNodeB.
At the same time, I choose the hardware.
I recommend the USRP B200; it is relatively cheap and stable.
The B200 Mini is relatively small.
The bladeRF xA4 does not take up system resources.
OK.
After selecting the software and hardware, let's see how to program a SIM card.
Because, as I just said, 4G uses mutual authentication, in order to get through mutual authentication I need to program a card that allows the mobile phone to verify the base station.
I need to buy a card reader and a blank LTE SIM card.
In fact, this SIM card is not sold on Taobao; you need to buy it through formal channels.
At the same time, it is limited to test use; you must restrict its use to testing.
OK.
Our tasks just now were to select the software and hardware and then program a card.
Let's take a look now at how to configure the software.
The configuration is still the same as before.
Configure the PLMN, that is, the country code and the operator code.
For example, I configure 46001; this is China Unicom.
Configure some common operators.
Then you need to configure the APN.
Configure the band.
If the device may only support a few bands, then you can choose Band 1 and Band 7, the kind of bands that everyone supports.
Then set IP forwarding.
Then program a card.
This will write these three parameters.
Let's see how to program a card.
First of all, for example, I need to simulate China Unicom.
I need to write the first five digits as 46001, and the rest as whatever.
Then I fill in this number as the IMSI in the software in the lower right corner.
At the same time, in user_db.csv, which is the configuration file in the srsLTE base station software that is responsible for authentication, there are ki and op or opc.
ki and opc are two keys.
Write these two keys into my card-writing software at the same time.
At the same time, take the IMSI I just wrote to the card and replace the IMSI in user_db.csv with it.
Finally, our purpose is to ensure that the three parameters ki, op and IMSI are exactly the same in my base station software and in my card.
OK.
After writing, we also choose the correct algorithms.
In this way, I now turn on my phone and I can search for this network.
I can connect to this 4G base station.
But now it is manual searching, and there may be some roaming problems.
I need to manually click to allow roaming.
At the same time, if the APN is wrong, it may still not be able to access the network.
To solve these problems, we need to click to manually search the network in our phone every time.
But some devices, for example the 4G POS machine or the 4G delivery machine, may not be able to search manually.
So I need to set the IMSI to be the same as a common IMSI.
For example, the machine is made in China, so I set the country code and the operator code to a common one, for example 46001.
At the same time, there are often some problems where the APN does not match.
For example, Android mobile phones, some shared 4G devices using 4G modules, or some 4G modules, all have some preset APNs.
For example, if your operator code is 46001, it will automatically use 3gnet, this kind of APN.
So in this software, in our SDR software, it also needs to be set to the corresponding APN, so that it can be realized and I don't need to search manually.
And once the APN is OK, the IP connection can be established.
So I have just set up all the settings.
I programmed the card; I wrote the country code and the operator code.
In this way, I can run this EPC and eNodeB.
So my 4G base station runs.
And this is the material and equipment we use for these SIM cards.
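The 4G station procedure above (PLMN, Ki/OPc and IMSI identical on the card and in user_db.csv), as an added example that is not the talk's or srsLTE's own code: it validates the card parameters against the expected 46001 PLMN, renders a user_db.csv row in the layout I assume from srsepc (name,auth,imsi,key,op_type,op/opc,amf,sqn,qci,ip_alloc), and reports any field that differs between the card and the row; all key values are constructed.

```python
import csv
import io
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")   # 128-bit key as 32 hex digits

def validate_card(imsi, ki, opc, mcc="460", mnc="01"):
    """Sanity-check what will be written to the test SIM. Returns problems found."""
    problems = []
    if not (imsi.isdigit() and len(imsi) == 15):
        problems.append("IMSI must be 15 digits")
    elif not imsi.startswith(mcc + mnc):
        problems.append("IMSI PLMN %s does not match %s%s" % (imsi[:5], mcc, mnc))
    if not HEX32.match(ki):
        problems.append("Ki must be 128-bit hex")
    if not HEX32.match(opc):
        problems.append("OPc must be 128-bit hex")
    return problems

def user_db_line(name, imsi, ki, opc, amf="9001", sqn="000000001234", qci="7"):
    """Render one user_db.csv row (assumed srsepc layout) using Milenage with OPc."""
    return ",".join([name, "mil", imsi, ki.lower(), "opc", opc.lower(),
                     amf, sqn, qci, "dynamic"])

def check_consistency(card, user_db_text):
    """Compare the card's IMSI/Ki/OPc with the row carrying the same IMSI.
    Returns the names of mismatching fields, or ['imsi'] if no row matches."""
    for row in csv.reader(io.StringIO(user_db_text)):
        if not row or row[0].startswith("#"):      # skip blanks and comments
            continue
        name, auth, imsi, key, op_type, op, *_ = row
        if imsi == card["imsi"]:
            mismatches = []
            if key.lower() != card["ki"].lower():
                mismatches.append("ki")
            if op_type != "opc" or op.lower() != card["opc"].lower():
                mismatches.append("opc")
            return mismatches
    return ["imsi"]

# Constructed demo values (not real keys); PLMN 46001 as in the talk.
CARD = {"imsi": "460010123456789",
        "ki":   "00112233445566778899aabbccddeeff",
        "opc":  "0123456789abcdef0123456789abcdef"}

if __name__ == "__main__":
    print("card problems:", validate_card(CARD["imsi"], CARD["ki"], CARD["opc"]))
    row = user_db_line("ue1", CARD["imsi"], CARD["ki"], CARD["opc"])
    print(row)
    print("mismatches:", check_consistency(CARD, "#name,auth,imsi,...\n" + row + "\n"))
```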
Let's give two simple examples.
We just talked about a 2G base station and a 4G base station.
Let's talk about a few very obvious examples.
Because of the time, I won't talk about a lot of complicated things.
For example, this is a leak of the configuration of two watches.
We use GSM or GPRS to capture the traffic.
For example, in the upper left corner, I can see the user code of this watch.
In fact, with this user code, I can use Python to rewrite a script on my laptop to log in.
So the original watch's login has been lost.
So a hacker can use the computer to communicate with the parents' app.
In the lower right corner, this is another watch.
When the other watch starts up, it will get its configuration parameters, for example, what is the phone number of my father?
So I use Burp to intercept it and then modify the father's phone number to the hacker's phone number.
So when the child calls the father in the future, it will call the hacker.
For example, this is a shared bicycle.
When we capture its traffic, we find that it uses HTTP to communicate; however, all the content is encrypted.
So we also analyze its firmware.
Also, we take it apart and analyze it in IDA.
Then we analyze its encryption process.
Finally, we can see that it can be completely decrypted.
After decrypting, we can get the password for each unlock.
Or I can direct it: because I decrypted all the encrypted HTTP, I can direct it to upgrade maliciously, for example, upgrade it to the component I want, for the shared bicycle.
This is a device; it is a 4G module.
This 4G module listens on a certain port.
Then we analyze that port and find that there is a password input.
So we connect it to our base station through the base station system.
At the same time, I access this port.
So I achieve remote RCE on the 4G module.
This is a demonstration.
This is a portable Wi-Fi device; it is a portable Wi-Fi with a SIM card.
During boot, because I am running the 4G LTE test base station, the moment it boots, and because its configuration has been set up normally, it automatically connects to the base station.
At the same time, I found a mobile phone to connect to the 4G Wi-Fi so that it can be online.
In other words, all traffic can be in my computer, because all traffic flows into my computer.
When I use my mobile phone to browse the Internet, all the traffic can actually be seen in my laptop, in my base station system.
At the same time, if I go to access the port of the Wi-Fi, because this Wi-Fi actually has a 4G card, I go to access its port, and I can directly control its Telnet.
OK.
Then I will tell you about another application.
This is an example of attacking the users' internal network.
For example, when our mobile phone connects to the 4G network, it will get...
In fact, the current users do not pay much attention to security, so our mobile phones will get an internal network address in 10.x or 172.x.
They are all mutually reachable.
Buy two identical SIM cards, the same 4G cards, and there is a high probability that they will be assigned to one internal network.
For example, A can access B, so I can test B's security issues at the port.
If it is a private APN, we can't talk about private APN here.
A private APN will definitely be assigned to the same internal network.
If this is assigned, we can carry out our security tests.
This is a video of testing using the users' internal network.
We are now in a private APN network.
In fact, this is one of my... my laptop is connected to the hotspot of my mobile phone.
Then I use my laptop to scan this 10.x network.
Then I go to scan the 10.x network: who opened port 5555?
When I capture packets, I use Wireshark to look.
You will find that there are a lot of clients returning TCP RST.
That is to say, these clients exist, but they didn't open these ports.
Then we found a client that opened port 5555.
In fact, this is a client we prepared in advance.
We can connect to this ADB client directly.
So this internal network is all mutually reachable.
I connect to this; it may be the opposite end, but it is also a mobile phone.
After connecting to the other mobile phone, I can use the other mobile phone to test the security problems of my Wi-Fi port at any time.
There are some other problems.
For example, studying vulnerabilities of the base station system.
There are also some studies of IoT protocol standards.
I won't tell you about this part due to the time.
Today's sharing, because the time is relatively short, the speech was relatively fast.
Do you have any questions?
If there are no questions, we will be done for today.
Thank you all.
